191 comments

[ 2.8 ms ] story [ 241 ms ] thread
Would be curious to hear criticisms of Tails, if anyone has opinions about it.

To be clear, I'm a fan of the product -- just wondering what the other side of the story is.

There may be a security advantage to using a separate non-bypassable network appliance that puts your traffic on Tor, since then it would be much harder to break into a Tails machine and make it leak your location. However, given that it's meant to be easy to use, I think they probably picked the right balance by having the Tor redirecting occur in the same address space as the computing environment.
All known law enforcement attacks against Tor have involved some kind of exploit (e.g., in Tor Browser) that creates a non-Tor connection to collect the user's IP. Tails does not protect against this. Whonix provides much stronger protection against practical, real-world attacks, since the entire operating system is forced through a Tor connection.
It’s probably important to note that as I understand it, these attacks have generally been Firefox zero-day exploits that have made its way in because the Tor Browser is based on Firefox ESR with patches.
Darknet sites should be on something with a much smaller attack surface like the pages from the Gopher or Gemini protocols.
Tails has the entire OS as Tor connections only, an escape from the Tor browser would still be stuck in a Tor only OS.

What information do you have to the contrary?

I mean yes and no.

Assuming there was an exploit that broke out of the Firefox sand box you are correct that any connection is via tor.

Though tails isn't 100% sure, you could chain a Firefox cve + user land to root and then turn off the to routing rules.

administrator/root is turned off by default, and even if the user turned it on during boot, they would still have to be tricked into approving or putting in their password again, am I missing something about the veracity of possible exploits?
(comment deleted)
Tails includes an "Unsafe Browser" which connects in the clear. So on top of a Firefox exploit, you would need another exploit to launch that browser or an exploit to escalate to root and tamper with the firewall rules. At least one Tails user has been successfully targeted like this ("an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video").[1] With Whonix, even an attacker with root would not be able to make a non-Tor connection because the firewall runs on a separate virtual machine.

[1] https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-h...

wow! that story is wild I totally missed that during the pandemic. now I'm no longer annoyed at always having to update tails the few times I boot it up.

but yeah probably going to prioritize Qubes and whonix again.

I left a comment in this thread of a non-root deanonymizing, Tails specific exploit that bizarrely went unpatched for multiple years.
I'm wary about even Googling it because I swear I heard you are tracked in the US for even Googling it, or downloading it, or even reading on Wikipedia. It sounds laughable when I type it to be honest, but hey. I feel I have better hills to die on.
Tails didn't patch a non-root exploit that could leak the users real IP by bypassing the firewall without them knowing it for 3 years. I do not understand why Tails is recommended over Whonix (specifically Qubes-Whonix, thus with a trusted TCB).

> The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction

https://gitlab.tails.boum.org/tails/tails/-/issues/15635

Is it new or something? This is the second time I've heard about it in 24 hours, and had never heard of it before.
Was pretty popular circa 2012 for dissidents in some countries
It's been around for a while, but interesting to see this and a Fireship video on it the same day. I was wondering if they did some new release or something but doesn't seem like it
It seems like a growing number of things once referred to as Linux distributions are now referring to themselves as operating systems. If the kernel is Linux, and the user-space is GNU, what makes this a distinct operating system from, say, SUSE, or Arch?
The userspace is so diluted now that it’s basically flat out wrong to say it’s just ‘GNU’, I mean Systemd is probably an even bigger a part than GNU is now, and we’ve long had things like OpenSSH from BSD as pretty core parts of the system, and we’re not going to start calling a distribution ‘Kubuntu Linux/Systemd/GNU/BSD/KDE’ or whatever…

Basically about all something needs to be to be called an OS is a kernel and at least one userspace program that does something useful, so I’d definitely say every ‘Linux distribution’ has always counted as an operating system in itself (so ‘Linux distribution’ is just a specific subset of ‘operating systems’).

I like to thing of GNU/Linux as Linux with glibc. There’s software that only runs with glibc (eg: steam), and software that runs with various libc (eg: Firefox).

I’m not sure that it’s a widely accepted definition, but it’s often useful to describe what a software depends on. Does it require _just_ Linux, or does it also require glibc?

You could make the argument that this is more of a GNU + Linux than an operating system unto itself.
A distribution focuses on the distribution part (eg: a package manager, repositories, etc).

Some distributions are operating systems (eg: OpenBSD, ArchLinux, Debian). Some operating systems are not distributions (they don’t include a mechanism to pull packages. Eg: windows, macOS). Some distributions are not operating systems (eg: homebrew, Flatpak).

Tails focuses on the operating system side of things. It’s focus isn’t on package distribution and letting you install things, but on downloading a usable OS image. It’s still a distribution, but that’s more of a technicality.

I'd say the reason for that is marketing, or branding, or positioning the product, which are, as you wrote, essentially Linux distributions.

I find that even combinations that are supposed to be very similar (Linux kernel, same DE, same repos) can behave differently, and I guess this is because of how the distro maintainers set up the different parts and integrations in the system. So in this way, my MX Linux box is different from my Debian+KDE box.

The fact that it still does not support an incredibly popular portable computer like the raspberry pi (or anything that ins't intel) saddens me.
I agree, and you have to make the PRs you want to see. I don’t think this project of free software has a big (or perhaps any) budget!
I'm so tired of seeing this argument. Most "big" open-source projects are well funded. Usually the reason they don't support <<obvious thing>> is poor leadership, not funding.

Over the past two years Tails has received 500k USD in bitcoin alone:

https://www.blockchain.com/explorer/addresses/btc/bc1qjg53lw...

You can also surmise that they receive ~200k/yr from official sponsors:

https://tails.net/sponsors/index.en.html

Then you have all the paypal, bank, cash donations.

Is it enough to add support for a second arch that is fully supported upstream (they ship a customized Debian)? You decide.

I'd guess it is a matter of priorities (do you want the safest, best-tested environment, or something less tested?).

However, assuming the source is easily bootstrappable, someone should try producing an unofficial port to Arm and Risc V. I'm sure it would reveal some security holes, even if it isn't appropriate (yet) for tails' target audience.

I might be wrong but I think this was a project originated by one of the branches of the US armed forces or security services?

In which case, it should be pretty secure.

Although, there's the obvious 'honeypot' concern.

But maybe I'm thinking of another distro, that ran from RAM and didn't write anything to disk.

I know the TOR project was started by the US navy, and that now I2Pnis the preferred method of browsing the darknet, because many people believe it has been compromised.
In the same manner that parts of the NSA are interested in secure cryptography as opposed to breaking it, parts of the Navy were interested in anonymizing traffic as opposed to de-anonymizing.
> and that now I2Pnis the preferred method of browsing the darknet

This is not true by any means. A "switch" to I2P never happened, and just a few months ago an exploit[1] that could deanonymize eepsites was published. Tor is still the only "method of browsing the darknet"; by most definitions.

[1]: https://xeiaso.net/blog/CVE-2023-36325

Ok, I haven’t tried it out in a while so thx
The TOR software is likely no more compromised than GNU/Linux generally -- the TOR _network_ is likely compromised by flooding it with honeypot servers that can track users by monitoring origins and destinations.
Distrowatch is a good place to get a brief overview of pretty well every Linux distribution ever made, with links and a bit of background info on each:

https://distrowatch.com/

The Internet also originated from the US military, among many other things. So tired of this FUD.
That's a false equivalency. The military invented a network that inspired the Internet. We're not all using ARPANET to send emails.
Not sure what you’re saying there…the Internet grew out of ARPANet, it’s not a separate thing. Is the oak tree “inspired” by the acorn?
I think that's an incorrect oversimplification. The Internet didn't grow from ARPANET like a seed grows into a tree. ARPANET didn't become bigger and bigger until it became the Internet. The Internet was the merger of many networks and many of them never communicated with any computer in ARPANET and we're developed with absolutely zero funding from the United States government.
I guess it’s a matter of interpretation. Of course every computer connected to the internet is not government-funded. But in this context we’re talking about the origin of the technology and protocols that allowed the network to exist at all. By the time the internet got bigger than ARPANet, CSNET, and NSFNET (all government funded), the protocols were pretty much settled, and that’s what everyone else’s network used to become part of the internet. If the government hadn’t gotten it to that point, there would be no internet.
Tails was "FUNDED" by the TOR project, which was started by the US Navy. So, not really...
I can't validate if you are wrong or not. Just bring to your attention that one of their marketing slogan is "Amnesia" and "Persistent Storage on a USB stick". https://tails.net/about/index.en.html

The 'honeypot' concern is somehow valid because full-on privacy on the internet is as hard to achieve as privacy in a public park. Only its user can determine if their online activities goes against the (legal/moral/financial) interests of the most technically-advanced nation on our planet.

The Tails team made the fantastic decision of modifying the Tor Browser, giving Tails users a unique fingerprint as opposed to regular Tor Browser users.
(comment deleted)
Tails is great. I am using it for several years now.

Other related projects are whonix ( https://www.whonix.org ), which consists of two virtual machines:

A workstation to work on and a gateway, which torifies all traffic from the workstation VM.

Whonix is also integrated in Qubes OS ( https://www.qubes-os.org ), which allows you to easily work with multiple seperate whonix VMs. There is also the possibility to tunnel all internet traffic of your machine through Tor including system upgrades of the host OS itself.

Whonix/Qubes integration is excellent, and it's certainly a nice perk of Qubes.

To clarify the benefits of the "two VM" approach:

Most of the unmasking exploits against Tor users (as distinguished from unmasking Tor hidden services) involve getting a browser to ignore the proxy settings, somehow. I believe WebRTC, Flash, and various other things have been used to cause the browser to beacon out to some endpoint - you exploit the kitty picture site, and put in code to exploit the browser, which then makes a direct request to http://someip/unique_identifier - and, boom, you've got the user's IP, probable cause, the works.

This happens because a "typical" Tor install is the daemon running locally, but nothing prevents other binaries from making a direct connection out. You set the browser to use socks5://localhost:9050 or something as the proxy, but if you can either get some part of it to misbehave, or just spawn off a different process, it doesn't obey the proxy settings and goes straight out.

Whonix solves this problem by splitting the system into the workstation VM (what you interact with) and the gateway VM (that connects to Tor and "torifies" traffic). The only network port on the workstation VM is connected to the input port on the gateway VM - and everything coming in that port is routed through Tor, via the other (internet connected) port.

So, if you manage to exploit the workstation VM, the attacker still doesn't gain an IP - because they launch a shell that runs 'wget http://someip/unique_id', but that goes out through the gateway VM, and gets encapsulated into Tor before going out, so it still pops out some Tor exit node, not your home IP address.

It raises the bar rather substantially for using Tor, and avoids a lot of the various ways to get Tor to leak. Also, they ship a copy of the Tor Browser in Whonix, which disables a lot of high risk functionality and allows you to very easily disable automatic media parsing and Javascript and such.

Qubes is awesome, and the integrated Whonix stuff is just a beautiful integration.

> Whonix is also integrated in Qubes OS ( https://www.qubes-os.org )

Qubes-Whonix with fully ephemeral disposable VMs is the future. It would be a total killer for nearly every use case of Tails besides ease of use.

Note that this is in the works, but not fully implemented by default yet. https://github.com/anywaydense/QubesEphemerize

> The steps below outline how to make all PVH DispVM's permanently fully ephemeral. All data written to the disk will be encrypted with an ephemeral encryption key only stored in RAM. The encryption and encryption key generation is handled by dom0 and is thus inaccessible to the VM.

Tried to use it on my M1 MBA but it barfed. So I guess it is only for x86/64 architectures.
How does Tails help you avoid censorship?
Legit question. IIUC: On the publishing side, it allows people to say things with less fear of bad guys knowing who said them. On the audience side, it allows people to consume media with less fear of bad guys knowing they read it. Unfortunately, I don't believe it can ameliorate what most people think of as the censorship part, which is a guy with a black magic marker crossing out parts of things.
> it allows people to say things with less fear of bad guys knowing who said them

I see what you are saying, but AFAIK, the technology is neutral as far as good or bad goes. One could say it lets a person say and do things with less fear of consequences in general.

It's a Tor client. Bypassing censorship is one of Tor's design goals.
If you get canceled and ISPs refuse to give you service Tor is not able to somehow bypass that censorship. If the server your hidden service is hosted on is taken away in a raid. Tor doesn't help you there.

Providing limited protection from being deanonymized doesn't mean that you can no longer be censored.

Obviously! Assassination or imprisonment could also be considered censorship and tor or tails won't help. There are always edge cases. They are pretty explicit about their threat model and go into great lengths explaining it.

https://tails.net/doc/about/warnings/index.en.html

Is there anything Tails does to actively bypass censorship, or is it simply a result of the increased anonymity?

To me, it seems like it can only have limited utility in this regard. For example, Tails (and Tor) isn't going to help you avoid private sector censorship on services like X or Facebook or YouTube, right? It won't help you get a book published or reach an audience with a video.

I'm not really sure what you understand the word "bypass" to mean here?

Tor/Tails can certainly help someone who is experiencing censorship to publish a book or distribute a video in a different region where that censorship does not exist. That bypasses the censorship. For example someone experiencing censorship could contact a publisher or distributor in a different location and transmit the book or video to them.

If censorship exists on Twitter, publishing items to Twitter isn't bypassing Twitter's censorship. You may be bypassing automated censorship or some mechanism but Twitter would still be censored.

The same goes for books. There's no tool that is going to keep a book on the shelves of a library that wants to burn the book. Bypassing the library's censorship means getting the book to readers despite the library's censorship.

Tails OS is my daily driver for absolutely normal day usage and do legal stuff. (No tomfoolery involved)
I'm interested in why you chose this.

What are the main benefits you get from using Tails OS?

What downsides do you tolerate because of the benefits?

It would have to be pretty good at avoiding the usual privacy problems on the modern internet, right?
Does it not become cumbersome to use the web for normal usage without persistent cookies, history, bookmarks, ...? If you save those to persistent storage (if that's even possible, I imagine Tails has safeguards against shooting yourself in the foot), you lose one of the main reasons why people use Tails.
Love Tails, but I haven't used it in ten years. I have had Tails and Qubes disposable VMs on my mind though.

I switched off of Qubes last year to my own Alpine chroot with a hand crafted kernel and initrd that lives only in memory. I find turning off the computer when I'm finished and having it forget everything to be a very peaceful way to compute. I owe the internet a write up.

I feel like ramfs for root filesystems is an underused pattern more broadly. "Want to upgrade? Just reboot. Fallback? Pick a different root squashfs in the grub menu"

> I owe the internet a write up.

I would definitely be interested in reading more about this.

I love the idea of being able to prevent an application from writing all over my disk to random places. If I can't prevent it, I can at least remedy it by having all those changes go away with a reboot.

One of the things I love about Docker containers is that they can be ephemeral or persistent, short or long term, have full network access or no access, allowed to write to the host system or stuck writing to its own file system only.

I'm in control instead of the application.

Typically they can only write to home and temp. That can be improved via sandboxing, and there’s Little/Open Snitch as well.
Ages ago, I tried out Puppy Linux, that ran from a burned CD. If I made updates, it wrote another filesystem extent to the disc, and I think the loading process just used those to over-write files as needed until the boot completed.

I was thinking of it for a home firewall at the time, but in any case, it made for a very ephemeral system.

Same here. Dont understand why not more ppl switched to alpine on the desktop. It is my daily driver. Plus LXD for stuff I must do (typically spawn ubuntu, etc.)

my whole PDE (Personal Developer Environment) is within a container. Need python? Shell into (via dmenu) python container. All with complete neovim setup. Need a GUI? No problem. Spawn a container. My lxd profile is set up for this. Use chezmoi for heavy automated stuff.

My base alpine system always stays clean.

By any chance can you share how you do this practically?
+1 and from which IDE/text processor did you migrate from to neovim?
I also use alpine as the main/root environment. But I rarely use any applications from alpine. For that I have Arch, Fedora and Debian rootfs dirs into which I pivot_root with the help of bubblewrap (bwrap) in shell scripts. There is no overhead and the GPU can be easily attached. You can also dynamically attach ro/rw CWD and target paths (`for arg in "$@"`).

Everything that I care about just works and I get a separation of concerns. Use of network namespaces allows further flexibility. For example, I have a netns that is forced through a Tor gateway such that any traffic originating in it can only go through Tor.

This type of setup is not hardened against kernel vulnerabilities, the kernel treats applications running in namespaces as if they are isolated from other namespaces but those applications can still interact with broad surfaces of the kernel and therefore potentially exploit it.

For kernel safety applications must be denied direct access to the host kernel, this is usually achieved with virtual machines.

> For kernel safety applications must be denied direct access to the host kernel, this is usually achieved with virtual machines.

And that is what QubesOS does, if I understand correctly?

(comment deleted)
>why not more ppl switched to alpine

I think one reason might be musl and its compatibility.

What's so bad about musl? Everything works fine for me on Alpine.

My desktop is FreeBSD but I have a few alpine servers for docker and other Linux specific stuff.

And FreeBSD is even less Gnu-Linux compatible than Alpine yet everything works fine. Thanks to an army of port maintainers of course.

Do you have a separate neovim instance (config and all) in every container? Or a single neovim instance on the host which can access all container volumes? What about shell instances?
I containerized my neovim setup and I share my projects/ directory with it. Containers get a shared volume like projects/project/.

From my neomvim container I can use the local terminal or I can ssh to the host to run my other containers.

> Dont understand why not more ppl switched to alpine on the desktop.

Same. When I was looking for a minimalistic distro, while unorthodox it seemed better than the alternatives. My next choice would be Void but I ran into some issues with it, and Alpine worked much more flawlessly.

Because most people don't need a reason to. Why would they switch to alpine?
In NixOs it's called Impermanence:

https://nixos.wiki/wiki/Impermanence

Also NixOs has absurd levels of control for upgrades, rollbacks, and control over the build and resulting files.

Be warned; your hard drive may file for a divorce after a few years of daily-driving NixOS. It is both a blessing and a curse:

  $ smol@computer ~> du -hcs /nix/store/
  257G    /nix/store/
You... do regular GC, right?

I have 45G, and this computer is more than two years old

I have multiple flakes and a lotta CUDA drivers. In fairness though, this is after a few months of no manual GC. I think nix-collect-garbage could bring it down to ~120-150gb.

It's totally worth the stability, but maybe not the best choice for the storage-constrained.

EDIT: According to nix-tree my current generation is only 45gb right now.

I'm so sick of this claim. Nix allows you to keep old versions of things installed, but you certainly don't have to.

When I switched from Debian to NixOS a few years ago, I installed it on a separate subvolume, and it ended up taking almost exactly as much space as Debian did (about 12 GiB with gnome and everything else). And really, what would you expect? It's nearly all the same code, just organized differently in the filesystem.

P.S., you can check the store usage of the current system profile with `nix path-info -Sh /run/current-system`.

How do Tails and Qubes relate, any reuse of functionality?

(Tried Qubes as written up in [1] but eventually gave up as it won't allow me to create virtualbox images, and some other caveats, as well as being pretty resource hungry)

[1] https://bionics.it/posts/installing-qubes-os

> it won't allow me to create virtualbox images

What's the use case[1] for VirtualBox images in an operating system designed around virtualization with Xen? You can simply create a Xen VM.

[1]: Note that I'm asking a question here, not invalidating your experience.

I've been needing to create virtualbox images for use in some courses (teaching data science and the like) at my previous work. This usecase has popped up often enough that I feel O need to be able to do this on my main laptop.
I treat my web browser like this, and similarly have a docker container for all my development stuff. I like the idea of making the computer (almost) completely stateless.

How do you deal with stuff you want to store in /home? (Like source code checkouts, ssh keys, etc.)

(comment deleted)
I wish Tails ditched Gnome..
Tails is one of those tools I always keep on me physically. Added it to my key ring 6 years ago , and I get use out of it at least twice a month. Also started using it as a recovery ISO. But my main use case is when I have to use a computer but don’t have mine around . Just pop the USB in and voila all the access I need and my data stored in the persistent partition.
I also spent most of my internship long ago researching secure operating systems for the analysts of the company I worked for and Tails was the best fit with Qubes being second due to how power hungry it is. Another was subgraph but at the time it wasn’t properly developed. Overall if you need a OS that guarantees that all your traffic is anonymised via Tor and that it is ephemeral Tails is superb.
Your use-case sounds like you could be using any other live distribution. Why did you choose Tails over Knoppix, Mint, Ubuntu, Fedora, ... ?
(comment deleted)
I've heard bad things about Tails over the last few years.

What with the UK planning to pass that online safety bill, I decided to try out Whonix (which involved learning curves when it came to Linux), which I think is a better way of keeping safe online.

> I've heard bad things about Tails over the last few years.

Like what?

As one of the comments mentioned below, easy for someone to get your IP with an attack on the Tor browser. (Which was actually utilized by law enforcement to catch somebody iirc.)

Anecdotal evidence, but I've heard numerous complaints from other users about telemetry settings being enabled in the browser and locked.

But worst of all, it uses GNOME.

(comment deleted)
where is darknet opsec and the current state of things discussed?

I used to use Dread and various DNM forums to find people to talk with and read their threads. It was usually far more complex and nuanced than what I would find on clearnet

but its been like 2-3 years since any Tor services even worked reliably with this ongoing DDOS attack.

dark.fail has been down too

I hear people moved to i2p but WHERE?

I’d like to highlight the update process . I had a 2-3 year old installation and updated using the in-app updater. Update was a breeze and persistent storage was saved.

I recently had to dust off tails to do some dark web research on a data breach.

It’s a great “prophylactic” to protect your assets from possible malware while doing research.

There have been quite a few exploits in tails.

I suspect you're better off with a more obscure project, because then your adversary is less likely to have a 'ready to go' exploit.

Wouldn't that be security through obscurity? Which is bad security and a good way to be exploited. I thought that having more eyes on a system made it more secure because people find the exploits.
(comment deleted)
Also if you’re rolling your own, you’re way more likely to not keep updates perfectly and patch everything that comes up.
Depends how you roll your own; something lightly modified from a "normal" distro can just take upstream package updates and so put you in a good spot.
It depends. Monocultures are also bad for computer security, since the failure mode is catastrophic.

Ideally, there would be a few tails-style projects competing with each other (there are; see sibling threads), and the internet would be more federated (for instance, if github is completely compromised right now, many people reading this will git pull malware in the next day or so).

"Many eyes" is a failed philosophy. Even if many people could, theoretically, look at the code few actually do as evidenced by the Heartbleed defect in OpenSSL. One of the most critical pieces of software, used by literally billions of consumers and basically every trillion dollar company, and they missed glaring coding errors that any basic static analyzer would automatically tag. Nobody was looking at even some of the most critical code. The first failure is that you need people actually looking, which basically requires being paid to do full-time work (as most work on Linux is these days).

In addition, even if people are looking, finding defects is really hard. A random onlooker has basically a 0% chance to find most of the critical zero-days afflicting Linux. It takes weeks to months of dedicated effort by technical experts with domain knowledge to find most such bugs. "Many eyes" is worthless to security, what you need is many trained technical experts with domain knowledge using high quality techniques and processes derived from successful high security projects.

This is not to say that "security through obscurity" is a good thing or that "open source" has no impact. Open source and development does have a large impact, it is just mostly on your ability to trust the auditing/security process as a random third-party, not the security itself. The security itself demands focused technical ability. However, the ability to trust the security claims derives from a technical evaluation by a technically competent, trusted party. The easiest way to do that if you are technically competent is to do it yourself. However, few people have that sort of time, so you farm out the work. If you are a big company or the government, you can usually get access to the source code under appropriate contractual protection, then you have your own technical staff (technically competent, trusted party) do the evaluation. If you are a smaller company, you might not have any technical staff appropriate for the task so you farm it out to a testing body (technically competent) who can probably be trusted since you are paying them.

However, if you are just some random person, you do not have the money to pay for a evaluation and you have no way of knowing if "Totally Not the NSA Certification Company" can be trusted. So, your best bet is inherent transparency and hoping that the unaffiliated lookers are, on average, not your enemy and technically competent. This is a okay option if you do not have access to better choices, and certainly better than nothing, but is a far cry from the other options where you have real control, incentive alignment, and insight into auditing processes. Only a organization incompetent at security would not use one of the better options for critical dependencys. Unfortunately, basically every large commercial IT organization, such as Google, Microsoft, Apple, Amazon, Crowdstrike, etc. is incompetent at security and none of them actually evaluate their dependencies or do any meaningful third-party certifications.

Funnily enough, this means my advice is practically useless, because the security of everybody is completely untrustworthy. Your only hope is "many eyes" because that is the only way to get any trustable audit at all. In the physical industries you have standards and certification bodies worth more than the paper they are written on, but in software everything in security is total snake oil and you should only believe what you can see for yourself. Hope that helps.

Security through minority actually.
As always, depends on the threat model.
If I were wanting do do secure tor browsing, I would use a liveUSB of ubuntu, running virtualbox, running vmware, running tor. On the host ubuntu, I would run a 2nd instance of virtualbox, running vmware, running Chrome.

Networking will be set up so the Chrome inner VM can ssh to the tor VM. The tor VM can access only some whitelisted tor nodes.

Now an adversary that uses a Chrome exploit needs to break out of Windows and 2 layers of VM's before they get to my host. Breaking out of a VM is fairly doable, but breaking out of two will require lots of zero-days chained together (expensive).

Same if they find an exploit in tor.

It's a bit more secure if you use a proper write once DVD as well to read the live cd. It's a bit slower to boot but the best way to prevent persistence is always to make it virtually physically impossible by not having any physical storage mediums connected
I think the main concern of most tor-users is that their real IP address (and hence location) is leaked.

For that, just a run-of-the-mill firefox exploit is all that is needed, and suddenly exploit code can do a wifi scan and get a very precise location.

Honestly, if this is a serious concern and you're already willing to go to all the other trouble, you may as well do your most sensitive Internet browsing from your car, connecting only to public WiFi in parking lots, in cities you don't actually live in, and never stay connected for more than a few hours at at time. Or take a hint from history's most secure criminals and don't do any of this yourself at all. Use paid underlings who fear you more than they fear prison and are willing to do time rather than rat you out.
You've just independently developed something almost identical to the Whonix system. :) May as well use the pre-built VMs that do it for you.
Pre built VM's mean an adversary probably has pre-built exploits...
Tor servers were breached by the CIA/NSA, I would be careful
what's the alternative to Tor?
Physical world. Lol
More specifically, couriers to hand deliver your messages, like Al Qaeda had.
There are no real "alternatives"; but see I2P, Lokinet and Freenet for some other options.
Do you suggest that we trust our ISP instead, and pretend that they aren't compromised by default?
By breaches you mean these agencies own a ton of exit nodes?
Not just exit nodes, but guard and relay nodes as well. If they control all hops in the circuit, all your anonymity are belong to them.
You can increase the number of hops to make it very difficult. Guard nodes are pinned, so they might know who uses and who doesnt use Tor (doesnt matter if you arent using a bridge).

You can also set up your own exit/guard node and configure Tor accordingly. While not a recommended setup, it works pretty reliably.

I love the idea of Tails. It is unfortunate that it only runs on Intel macOS.

I consider my personal setup to be pretty good, but not Tails grade privacy: 1. Avoid installing apps, use Safari with all possible privacy settings. 2. Run Lockdown mode iOS, iPadOS, and macOS. 3. Use duck duck go and ProtonMail. 4. Prefer to run in Safari private browsing tabs. 5. Become non-private when logging into Amazon to make a purchase, etc.

I would love it if people more knowledgeable than I could critique my setup, make suggestions. Thanks in advance.

I would like to mention Cory Doctorow’s excellent new book The Internet Con [1]. It carries on in the fine tradition of the books Surveillance Capitalism and Privacy is Power for the narrative that regular law abiding people also benefit from doubling down on privacy.

[1] https://craphound.com/internetcon/

"It is unfortunate that it only runs on Intel macOS."

Tails runs on most computers. It doesn't have to be a "macOS" (you mean Apple?). macOS is an OS, tails replaces the OS.

It doesn't run on ARM macs. Which is all new macs.
Sure, but that's not what parent said. He said it only runs on "intel macOS", which is false. It works on non-Apple computers as well.

But I understand the miscommunication, parent meant to say "of the Apple computers, it only runs on Intel ones". There is a world outside of Apple, you know :-)

It's an emphasis thing. You can't tell in text where the emphasis is. In this case it was super clear that it was "intel macOS", but yea, it should have been "intel macs".
The conflation of "MacOS" with "Apple computer" is a problem that should be addressed.

Tails works on Intel arch. It does not work on ARM arch.

This has nothing to do with an Apple branded computer.

I misspoke. I know that it works on any Intel computer that you can plug a USB flash drive into.
Tails works fine on IBM-PC compatible laptops and desktops with Intel compatible chips, which is nearly all laptops. I presume you meant that Tails doesn't run on ARM Macs?

If you only have an ARM Mac, it's easy to get an old IBM-compatible laptop and run Tails. What matters is a decent speed of USB stick, and today they're generally decent. I find it helpful for testing some things, I can reboot and get to a known state.

Being blunt: your setup doesnt protect you from Apple. Websites will and does recognize you on every visit, both those done in private tabs and the usual ones. DDG and ProtonMail i cant comment on, but they are one of the better choices for the less tech-savvy/i-want-to-spend-my-free-time-having-fun. You have a pretty nice setup in terms of security, however.

If you want better protection for websites identifying you, you should consider researching on browser fingerprinting (which is extremely hard, if not impossible to do on Safari). If you want better protection overall, ditch Apple.

Sounds like its users have something to hide (sarcasm).